How millions of DSL modems were hacked in Brazil, to pay for Rio prostitutes

Post navigation

So, you think you’re doing a pretty good job in terms of computer security on your home PC? You’ve kept your computer fully patched against the latest vulnerabilities? You’ve ensured that your PC is running the latest-and-greatest anti-virus updates?

Good for you.

Now, how about your router?

My suspicion is that the typical computer user doesn’t give a second thought about whether their router could be harbouring a security threat, imagining that the devices don’t need to be treated with suspicion.

But if you think that, you’re quite wrong.

Fabio Assolini, a researcher for Kaspersky Labs, gave a fascinating presentation at the Virus Bulletin conference in Dallas last week, describing how more than 4.5 million home DSL routers in Brazil were found to have been silently hacked by cybercriminals last year.

Assolini described in his presentation, entitled “The tale of 1001 ADSL modems: Network devices in the sights of cybercriminals”, how at some Brazilian ISPs, more than 50% of users were reported to have been affected by the attack.

Here’s how the attack came about.

You’re on Google’s website, but you’re not on Google’s website

The first thing users may have noticed is that they would visit legitimate websites such as Google, Facebook and Orkut (a Google social network which is particularly popular in Brazil) and would be prompted to install software.

In the example below, visitors to Google.com.br were invited to install a program called “Google Defence” in order to access the “new Google”.

Note – google.com.br is the correct web address for the Brazilian edition of Google, and Google’s Brazilian website had not been compromised or hacked to make available a malicious download.

And yet, “Google Defence Para” had nothing whatsoever to do with Google, and was being distributed without the search engine giant’s blessing.

How was this possible?

Exploited routers using malicious DNS servers

The answer is that the user’s ADSL modem had been compromised, and the hackers had changed the router’s configuration to point to a malicious DNS (domain name server). This meant that when the user entered the web address of a legitimate website (like google.com.br or facebook.com) they could be taken to a dangerous website instead, posing as the real thing.

Now, normally if you access a router via the internet you will be asked for a username and password – and so long as the user has chosen hard to guess login credentials (and not gone with manufacturer’s defaults) all should be well.

Unfortunately, in this case, the hackers were able to exploit a vulnerability in the Broadcom chip included in some routers. Assolini explained that “the flaw allows a Cross Site Request Forgery (CSRF) to be performed in the administration panel of the ADSL modem, capturing the password set on the device and allowing the attacker to make changes, usually in the DNS servers.”

In short, the exploit allowed malicious hackers to break into millions of routers remotely, without having to know the passwords being used to protect them.

And once there, the hackers were able to change the ADSL modem’s DNS settings – pointing them to one of 40 malicious DNS servers around the world.

The end result is that many Brazilian users downloaded code, mistakenly believing they were from websites they trusted, including:

br.msn.com/ChromeSetup.exe

facebook.com.br/ChromeSetup.exe

facebook.com/ChromeSetup.exe

facebook.com.br/Activex_Components.exe

and many more..

In some cases, the attackers didn’t even have to use such social engineering to trick users into installing the software – exploiting Java vulnerabilities to plant malicious code onto victims’s computers as what should have been trustworthy websites were visited.

Ironically, if users contacted their anti-virus vendor’s tech support line and asked them about the safety of files like facebook.com/ChromeSetup.exe, chances are that the support technician would not be able to locate the file themselves because their own computers were not running through malicious DNS servers.

And, of course, affected users would often be adamant that they had done nothing wrong – certain that their computers were fully updated with patches and anti-virus. But, of course, that didn’t stop the remote attack on their router.

Furthermore, the problem was not just limited to home users. According to Assolini, routers designed for the SOHO market are more commonly encountered than you might imagine on corporate networks, not just in Brazil but worldwide.

Eventually it was discovered that the common denominator between affected computers was that they were all using routers made by one of six different hardware manufacturers.

Fixing the problem, however, was not so easy. The automated remote hacks of millions of ADSL modems had not just changed the devices’ DNS settings – they had also changed the password to access the device to phrases like “dn5ch4ng3” and “cg4ng3dn5”, meaning that users could no longer get in via their admin panels. If only they had known the exploit too..

Hackers reap rewards, and spend it on Rio prostitutes

The motivation for the attack, which impacted millions of Brazilian users, was – of course – money.

Malware installed onto victims’ computers could steal files and keypresses, trick users into entering sensitive information on convincing phishing pages, spy upon passwords and banking information, and provide a flood of data for the hackers to exploit.

Interestingly, in his presentation, Assolini presented an IRC chat between some of the hackers involved in the DNS caper.

One of them described how another hacker earned more than 100,000 Reais (approximately $50,000) and would spend his ill-gotten gains on trips to Rio de Janeiro in the company of prostitutes.

Reasons why routers can be exposed to security threats

So, why is it that routers are seemingly so vulnerable? It turns out there are a few possible explanations.

Poor patching. Despite exploits against a wide range of network devices, modems and routers being publicly available on the internet – some manufacturers have chosen to largely ignore the problem.

That means that even if you want to patch your DSL router against a known security vulnerability, a fix may not be available for you.

Default passwords. In some cases, a vulnerability may not even be needed. For instance, if a device uses a known default password, a malicious hacker does not have to go to any effort to bypass the device’s authentication.

Lack of user awareness. Users of network devices may not be aware that it is necessary to keep them up-to-date with security patches, or that patches are available.

Non-standard update model. The method by which devices are updated can vary from manufacturer to manufacturer, making it more complex for the user.

“Massive attacks are real and here to stay”

Fabio Assolini says that there are number of groups who could carry a proportion of the blame, aside from the hackers themselves.

According to Assolini, security researchers need to be more proactive in reporting flaws related to routers, ADSL modems and other network devices to prevent them from being exploited by malicious hackers. And, of course, the manufacturers have to be responsive.

ISPs are guilty too, says the Kaspersky analyst. He says that it is common for Brazilian ISPs to lend their customers old and vulnerable network devices, and that this is probably happening in other parts of the world too.

And, says the security researcher, governments may not be doing enough. Assolini claims that ANATEL, Brazil’s national agency for telecommunications, approves internet hardware before it can be sold, but it does not verify the security of devices – only standard functionality.

Many thanks to Fabio for a great and thought-provoking presentation. You can read his full paper here.

So what is the best way for an individual to protect themselves against this besides having good passwords and being suspicious of unsolicited software downloads? Should we regularly check our router to see if the DNS have changed? Anything else?

Change the DNS settings on your computer to Google DNS , OpenDNS or you ISP provided DNS, and therefore bypassing the router for DNS lookup…. you may also receive some Web browsing performance benefits from this change…

Surely the main issue here is that these routers shouldn't have their admin interfaces listening on their external IP in the first place? By default they should only listen on their internal interface…

Admittedly if users wanted to enable remote access to their modem for legitimate reasons, they'd still be vulnerable to the CSRF, although I would argue they would be tech-savvy enough to realise something suspicious when asked to download software just to access a website.

My ISP supplied router got hacked last Dec (2016). During my investigations I found that unknown to me up to that point :-
1. It presented it’s browser management interface to the LAN side
2. It had a hidden management sign-on (in addition to the one I used & changed the password on) that wasn’t mentioned in the documentation
3. It had a software vulnerability in its in-built webserver
4. It left it’s TR069 interface open
All of that with “remote management” turned off!
And it got re-hacked within about 20 mins of a factory reset & reinstalling it’s firmware.
My solution was to buy a more secure-able router – expensive, but at least it doesn’t have those vulnerabilities, after I’d finished with it!

More or less, the exploit is run from the victims browser upon visiting a malicious website. Therefore the password change actually occurs from the users internal Lan IP.
Therefore the admin interface doesn’t need to listen on the external IP.

The vendors are to blame, not only for the CSRF weakness in their change password script, which could easily have been avoided by using a randomly generated hidden token on the form (as it is common practice )

But also in other regards the vendor is to blame (external shell access WTF)

No it does not. It does not help with this exploit/hack. Although back in the day it was "thought" that not broadcasting your SSID was a security best practice the traffic, mac addresses of the AP end point are still visible. You can try it out with disabling SSID broadcast and using netstumbler or inssider and you will still see the wireless network though the wifi name is not displayed, the wifi network is "active."

One further thing: as I understand it, the cross-site scripting vulnerability relies on correctly guessing the internal network LAN gateway/ router address. If this is left as the default 192.168.1.1, then the exploit is easy. Changing this address makes it way harder, so change it when you’re setting it up.
Or, manufacturers could randomise it …

Not sure about this brand of routers, but for example the in Germany popular Fritzbox Routers will provide a DNS lookup for themselves. Like fritz.box will always get you to the router , no matter what you change the IP to.

Once, I signed a internet provider, in Brazil. Then, this provider offered me an email account. I already had two email accounts, but I took this new account and never used, never told nobody about it. However, I started receiving email from my bank, the bank from the credit card I used to pay this provider. Of course, the emails were scam. I do not use online banking. In conclusion, I realized the scam was a inside job. People working inside this provider were trying to rip me off. I called to complain about it, and the hung the phone on my face. So, I had to cancel this provider and get another.

For the record, the Belkin SAM300AX (Sterlite) modem from MTNL (Indian government telecom ISP) also has this problem. One sign in Firefox was videos playing, then closing the video caused a window to open to a redirector site that may lead you to malware etc.
Clearing settings caches on the pc wouldn’t fix it. Adblocking will fix some aspects, but will still redirect you to bad places — adblocking is a risky “fix”. A change to trusted DNS is better, or modem replacement is best.